Kickstarter hacked. Users told to change passwords

This weekend, crowdfunding website Kickstarter issued what it called “an important security notice”, but what most of the rest of us would more easily recognise as an announcement that it had been hacked.

Part of the notice read:

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password.

There are some interesting points here, which are worth examining one by one.

Firstly, Kickstarter didn’t know it had been hacked. Law enforcement told them.

Was this because the authorities had been tipped off by some kind soul who had stumbled across the security breach? Or had the computer cops seen hackers exploiting information taken from Kickstarter? Or had evidence of the hack been discovered online, perhaps as criminals attempted to sell the stolen information?

Nobody is saying right now, but it’s interesting that Kickstarter’s own systems had not alerted them to the problem, and they had to be tipped off by the authorities on Wednesday night.

Secondly, no credit card data was accessed. Thank goodness for that. Clearly that would have been a much worse situation.

But don’t forget – usernames, email addresses, mailing addresses, and phone numbers were exposed. And that’s enough for an online criminal to put together a sophisticated social engineering attack, perhaps pretending to be a company whose project you had backed on Kickstarter.

Thirdly, we don’t know how much data the hackers accessed. But it would seem sensible to presume the worst, and that all user records are potentially at risk. Kickstarter says it has only seen unauthorised activity on two user accounts, and yet it is recommending that all users take action regarding their passwords.

Fourthly, on how the “encrypted passwords” mentioned in the notice were actually stored, Kickstarter has said:

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

That means the passwords were not simply encrypted but actually cryptographically hashed, which is what you want: a hash cannot be reversed to recover the password, and a unique salt per user means an attacker cannot use one precomputed table against every account and has to attack each record separately. It is not a guarantee, though. SHA-1 is a fast hash, so even when it is applied multiple times an attacker with a GPU can try an enormous number of guesses per second, and a weak, obvious or reused password will still fall to a dictionary attack. bcrypt is deliberately slow and has a tunable work factor, which is why the more recent passwords are much better protected. Hopefully Kickstarter will take the opportunity of this security breach to re-examine how it is storing its users’ password information, move the older SHA-1 records over to bcrypt, and adopt more secure systems in future.
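To make the “enough computing power to guess and crack” point concrete, here is a small added example (mine, not Kickstarter’s code) of the older scheme as described: a per-user random salt, the salted password digested with SHA-1 a number of times, and then an offline dictionary attack run against the leaked record exactly as a criminal would run it. The prefix construction, the round count, the sample passwords and the wordlist are all constructed for this illustration; Kickstarter has not published the precise details. bcrypt is not in the Python standard library, so it is not shown, but the round count here plays the same role as bcrypt’s cost parameter: it multiplies the work per guess, and nothing else stands between a weak password and the attacker.

```python
import hashlib
import hmac
import os

# Constructed for this example: the kind of wordlist attackers assemble
# from earlier breaches. No real Kickstarter data is used anywhere here.
WORDLIST = ["123456", "password", "letmein", "kickstarter", "password123",
            "qwerty", "iloveyou", "welcome1"]


def sha1_iterated(password: str, salt: bytes, rounds: int) -> bytes:
    """Salt the password, then feed the result through SHA-1 `rounds` times.

    This mirrors 'uniquely salted and digested with SHA-1 multiple times';
    salt-prefixing and the round count are assumptions for illustration.
    """
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_record(password: str, rounds: int = 1000) -> dict:
    """What a site stores per user: a random salt, the round count, the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "digest": sha1_iterated(password, salt, rounds)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute and compare in constant time. Once the record has leaked,
    this is also exactly the check an attacker performs for every guess."""
    computed = sha1_iterated(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(computed, record["digest"])


def crack(record: dict, wordlist) -> tuple:
    """Offline dictionary attack against a single leaked record.

    Returns (recovered password or None, number of SHA-1 calls spent).
    The salt stops one precomputed table serving every user, but it does
    nothing to stop guessing; only the per-guess cost (rounds) slows this down.
    """
    calls = 0
    for guess in wordlist:
        calls += record["rounds"]
        if verify(record, guess):
            return guess, calls
    return None, calls


if __name__ == "__main__":
    weak = make_record("password123")
    strong = make_record("Tq7!vL0#mRz2pW")   # long and random; in no wordlist
    print("weak  :", crack(weak, WORDLIST))
    print("strong:", crack(strong, WORDLIST))
    # Same password, two users: different salts give different digests,
    # so work done cracking one record cannot be reused on the other.
    a, b = make_record("password"), make_record("password")
    print("same password, distinct digests:", a["digest"] != b["digest"])
```

With a thousand rounds the weak record falls after five guesses and five thousand SHA-1 calls, which is a rounding error for a GPU; the random one survives only because it is not in the list, not because of anything the hashing did. Raising the round count (or using bcrypt’s cost factor) makes every guess proportionally more expensive, which is the one lever the site controls; the password’s strength is the lever the user controls.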

Fifthly, stop using easy-to-crack passwords or the same password in multiple places. The problems caused by a hack like this are compounded by users’ tendencies to re-use passwords.

Using the same password for Kickstarter as you use for, say, your eBay account or email inbox is frankly disastrous behaviour. If you haven’t already done so, get some good password management software which can help you generate hard-to-crack, complex, long passwords and then do all the difficult remembering of them on your behalf.

Finally, Kickstarter didn’t tell anyone until Saturday. It’s a long holiday weekend in the United States (Monday is President’s Day) which means many people probably won’t be catching up with their technology news fix until Tuesday at the earliest. Kickstarter could have said something on Thursday or Friday, but didn’t. It waited until Saturday instead.

Now, it’s perfectly reasonable that any company which has had its users’ information stolen would want to get its ducks in a row, and be absolutely certain it understands what had been taken and what hadn’t, so it doesn’t find itself in the embarrassing position of having to go back to the press later and admit things are worse than it first thought.

But the cynical amongst us might wonder if Kickstarter’s corporate PR team saw some benefit in burying the embarrassing news of a security breach at the start of the holiday weekend, making the story “less sexy” for when tech journalists returned to their laptops on Tuesday morning.

For its part, Kickstarter is defending its delayed announcement, saying:

We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.

Of course, the delay does mean that the criminals have four days’ head start over anyone who had their details exposed by the security breach.

During those four days – if you were unfortunate enough to be using your Kickstarter password on other websites – the criminals could have accessed your other online accounts, and stolen information from them. Furthermore, there was nothing to stop them from spamming you with malicious links or phishing attacks, as they now know your email address and other pieces of personal information.

Take care folks, and if you’re a Kickstarter user now would be a great time to change your password.

Let’s leave the last word to Kickstarter:

We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

I’m sure all of us wouldn’t wish a security breach like this on any technology company. Although Kickstarter’s users are victims of this attack, so is Kickstarter itself. Let’s hope that the authorities are successful in identifying who is responsible – and bringing them to justice.

Do you think it would be smarter for Kickstarter to force password changes for all its users, as opposed to making an appeal? And what are your thoughts on password-managing apps? Do you approve of them, or are they too a security risk?

http://dharley.wordpress.com/ David Harley

Graham doesn’t yet have moderator privileges, and I’m not claiming to speak for him, but personally I think a forced password change would certainly be preferable. The question of password manager apps is a bit trickier. They do work well for some people, but they are a single point of failure, and some are safer than others. (Some aren’t safe at all!) It would be good to have an article specifically on this topic up here at some point (we have discussed it), but so far it hasn’t happened.

http://grahamcluley.com/ Graham Cluley

Thanks for the message, Carl.

I don’t see why Kickstarter wouldn’t force a password reset on its users (I think that’s a better option than choosing new passwords for affected users), but it is important for a loud message to get out there to victims telling them that they may have to take action on sites *other* than Kickstarter if they’ve been unwise enough to re-use passwords.

I’m a big fan of password managers personally. Although there are risks associated with them, I think it’s a much bigger risk for most people if they are required to dream up their own passwords or asked to remember them.

Of course, you always need to ensure that you have properly protected your password manager with a super-strong password itself!